Retail cyber threats: Increased shopping drives increased risk

As we head into another busy period for retail and e-commerce sales in some regions around the world, cybersecurity software company Imperva has published its annual holiday shopping cybersecurity guide.  

With data provided by the Imperva Threat Research team, the report indicates a number of key threats that could compromise retailers and e-commerce platforms in the coming weeks. Collectively, retail sites experienced an average of 569,884 AI-driven attacks per day during the research period. This means it’s critical for retail businesses to understand the attack vectors they might be exposed to, and protect their company and customers – particularly during sales surges. 

Find out what retail industry leaders should know about cybersecurity and imminent threats during a surge in B2C sales. 

AI threats against retail and e-commerce are on the rise 

The research team analysed data collected between April 2024 and September 2024, revealing the AI-driven threats are putting retail data at risk this year. The proliferation of GenAI tools and LLMs is enabling criminal groups to scale their attacks at minimal cost, and e-commerce platforms are a potentially lucrative target. 

Business logic abuse is a leading threat in online retail, accounting for 30.7% of all attacks. It occurs when cybercriminals exploit the intended functionality of an e-commerce application for nefarious purposes – for example, manipulating promotional codes or return policies in order to access reduced price goods or services. Almost 50% of all retailers surveyed by Imperva had been the target of some form of business logic abuse.  

Bad bot attacks disrupt business functions 

Bad bots are also leveraging AI algorithms to imitate human behaviour on retail platforms and bypass security measures. Bad bot attacks made up 20.8% of all AI-powered attacks against retail sites in Imperva’s research, and they cause serious disruption for retailers – scraping price data, creating fake accounts, running credential stuffing attacks, and more. 

During busy retail periods, threat actors can leverage bad bots to query online inventories and purchase the most popular items of the season; in order to deplete the retailer’s stock, before selling the items elsewhere at a markup. This has a damaging effect on customer trust around high-profile product launches.

DDoS attacks overwhelm retailers 

They’re almost as common as business logic abuse attacks, accounting for 30.6% of AI-driven threats against retailers. Distributed Denial-of-Service (DDoS) attacks are very much on the rise – with Imperva’s 2024 DDoS Threat Landscape report noting that they’ve increased by 61% since 2023. 

At the application layer, cybercriminals leverage DDoS attacks to overwhelm retail websites and render them inoperable. This has a devastating impact on retail sales during busy shopping months.

API attacks are increasingly widespread 

A growing number of retailers rely heavily on application programming interfaces (APIs) to enable transactions and integrate third-party services. As a result, more threat actors are leveraging API violations against retailers – exploiting API vulnerabilities to access and steal sensitive data. 

The retail sector experiences an average of 5,570 API attacks every day, and their potential impact is varied; from data breaches to financial fraud, and loss of customer trust.

How can retailers protect themselves from cyber threats during a shopping surge? 

Before a surge in online traffic, retailers should audit their infrastructure to ensure they can handle the influx of visitors and data processing without compromising on user experience. They should develop a comprehensive bot management strategy to protect all platforms that customers interact with, and implement strong validation measures on all user inputs to guard against business logic abuse attacks.  

Investing in DDoS protection is also essential; and in the current landscape, a DDoS solution should leverage machine learning technology to monitor traffic, identify potentially malicious traffic, and mitigate its impact in real time. And all retailers must have a clear baseline for expected API behaviour to enable them to identify anomalies or API use spikes. 

All retailers planning to make the most of a retail surge should prepare for the threats that come with it; and operate with vigilance. 

Join us at Black Hat MEA 2024 and discover how to improve your organisation’s cyber resilience.